Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/32890?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/32890?format=api", "vulnerability_id": "VCID-1118-wfde-6yax", "summary": "Malicious Package in reques\nAll versions of `reques` typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise.\n\n\n## Recommendation\n\nRemove the package from your dependencies and always ensure package names are typed correctly upon installation.", "aliases": [ { "alias": "GHSA-g8jc-mm3c-cwhj" }, { "alias": "GMS-2020-464" } ], "fixed_packages": [], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/142638?format=api", "purl": "pkg:npm/reques@0.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1118-wfde-6yax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/reques@0.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/588888?format=api", "purl": "pkg:npm/reques@0.0.1-security", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1118-wfde-6yax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/reques@0.0.1-security" } ], "references": [ { "reference_url": "https://www.npmjs.com/advisories/863", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/863" }, { "reference_url": "https://github.com/advisories/GHSA-g8jc-mm3c-cwhj", "reference_id": "GHSA-g8jc-mm3c-cwhj", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g8jc-mm3c-cwhj" } ], "weaknesses": [ { "cwe_id": 506, "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "9.0 - 10.0", "exploitability": "0.5", "weighted_severity": "9.0", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1118-wfde-6yax" }